Re: Shiro web in JSF Page not working

2015-11-12 Thread Björn Raupach
> On 13 Nov 2015, at 08:40, scSynergy wrote: > > You could have a look at: > https://ops4j1.jira.com/wiki/display/PAXSHIRO/JSF+Support > Perfect! Thank you very much! > > > > -- > View this message in context: > http://shiro-user

Support for extensionless urls?

2016-11-02 Thread Björn Raupach
Hello group, is there any support for filtering urls without looking at the extension? Maybe we have overlooked it. In our use case we work with JavaServer Faces (JSF). In web.xml we map the JSF servlet to .jsf. An example shiro.ini: [urls] /index.jsf = ssl, authBasic You can

Re: Support for extensionless urls?

2016-11-03 Thread Björn Raupach
Matcher.html> > > So something like this should work: > > [urls] > /index* = ssl, authBasic Perfect! Works! Thank you very much > > On Wed, Nov 2, 2016 at 11:30 AM, Björn Raupach <mailto:raup...@me.com>> wrote: > Hello group, > > is there any support for fi

Re: MFA - Possible Solution?

2017-01-08 Thread Björn Raupach
Hi Richard, I am currently working on an implementation for U2F with Apache Shiro. It is still not officially rolled out but it works and I am also not sure if I did it correctly. Like you I created two realms. Then however I changed the authentication strategy in the security manager. authcSt

Re: MFA - Possible Solution?

2017-01-08 Thread Björn Raupach
factor. The key point being that there’s a difference in workflow: > User supplies username + password -> System sends token to > user -> User inputs token > vs. > User generates token -> User supplies username, password and > token > > R

Re: MFA - Possible Solution?

2017-01-09 Thread Björn Raupach
JdbcRealm for obtaining an SMS token is a bit dubious because the realm > only returns one token and it’s quite likely if there is an SMS delay that > the user will retry and we’re then left with two tokens generated and the > user may try either. It wasn’t something I thought of wh

HTTP Strict Transport Security (HSTS)

2017-01-10 Thread Björn Raupach
Hello group, as an exercise I went ahead and extended the SslFilter with support for HTTP Strict Transport Security (HSTS). At least I think I did. Not that familiar with the internals. I overrode the method postHandle in SslFilter to add the header. Is this the correct place? Or say the corr

Why do permissions depend on roles?

2017-08-10 Thread Björn Raupach
Hi group, hi Brian, maybe you can help me understand some things about permissions in web applications. I started with this configuration in shiro.ini (ok, this is an example, not the real one) [main] jdbcRealm = org.apache.shiro.realm.jdbc.JdbcRealm jdbcRealm.dataSource = $dataSource jdb

RememberMeManager in Database

2018-01-09 Thread Björn Raupach
Hi there, has anyone worked on a RememberMeManager that stores the credentials in the database? As far as I can tell the current CookieRememberMeManager encrypts the principal and stores the encrypted value in a cookie. Identity is restored if we can decrypt the supplied cookie value from t

Re: RememberMeManager in Database

2018-01-10 Thread Björn Raupach
; > Keep us posted! Since we need this feature I can dedicate company time on this matter. Will work on this in my repo and open a pull request once I have something figured out. Might need some help troubleshooting. > -Brian > > > On Tue, Jan 9, 2018 at 10:02 AM, Björn Raupac

Re: RememberMeManager in Database

2018-01-12 Thread Björn Raupach
Not sure where to talk about the proposed feature. JIRA Ticket? Mailing list or GitHub issue/pull request? Anyways here is the link to the implementation: https://github.com/raupachz/shiro/tree/dbcookies The class is called DatabaseRememberMeC

Re: RememberMeManager in Database

2018-01-26 Thread Björn Raupach
Hi Brian, know you are busy. Could you give me some feedback on this? kind regards Björn > On 12. Jan 2018, at 16:44, Björn Raupach wrote: > > Not sure where to talk about the proposed feature. JIRA Ticket? Mailing list > or GitHub issue/pull request? > > Anyways here

Re: RememberMeManager in Database

2018-01-29 Thread Björn Raupach
ntation does. This might be different from what we are trying to achieve. We don’t want the subject in the cookie, but in the database. Otherwise I can’t invalidate cookies for a segment of our users on the server side. Is my assumption correct? > > > > On Fri, Jan 26, 2018 at

Re: hashPassword()?

2018-01-29 Thread Björn Raupach
You can use the Shiro Command Line Hasher. $ java -jar shiro-tools-hasher-1.3.2-cli.jar -gs -p It generates something like this: $shiro1$SHA-256$50$E6PdauzOv8tHCyyUYSxOMQ==$HcTjCPThvdtntrRqxIrkaenilDlyMYBOb0Hb7VUfP5Y= Shiro uses a so-called modular crypto format. Salt, algorithm everythin